1 reply

The certificate cannot and should not be made to never expire, and therefore any device embedding it should always be able to have it updated. It would not be sensible to embed the IoT Platform's cert, as this will always be expiring sooner than any of the authorities in its chain. It is also more likely to be revoked than any of the authorities' certificates, if the SSL implementation is checking revocation.

Any device should be able to receive updates for firmware, especially for updates that update the SSL implementation (which should include updates to trusted authorities). It is possible to end up with dead devices if this is not done timely for the certificate used to trust the IoT platform. Therefore it's important to get this right!

The IoTP certificate expires in 2017 as you note. It will obviously be replaced before then. The first authority in its chain is DigiCert SHA2 Secure Server CA, which expires in 2023. Its signer is DigiCert Global Root CA, and that expires in 2031. Therefore, as it stands, you could get until 2031 just by embedding DigiCert Global Root CA. You should always still expect to need to update this trust, as there is no assurance that IoTP will continue to use DigiCert. You are best off with a spread of the most common CAs, as browsers do, and also expecting to need to update devices to keep their trust fresh and avoid them becoming dead.
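An added illustration of the reply's point, not code from the post or from the IoT Platform: it builds a throwaway root/intermediate/leaf chain with the expiry years quoted above using Go's standard crypto/x509, then checks which embedded trust anchor still lets a device validate the platform once the leaf and intermediate are renewed, and what happens when the root itself expires. The CA names, iotp.example and the 2033/2035 renewal expiries are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue builds a constructed certificate for name, valid from 2014 until 1 January of year until, signed by parent (a self-signed root when parent is nil); keys are throwaway.
func issue(name string, until int, ca bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Date(2014, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(until, 1, 1, 0, 0, 0, 0, time.UTC), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, pub, parentKey) // cannot fail for these inputs
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trusts reports whether a device whose only embedded anchor is anchor completes a handshake with a platform presenting leaf/inter/root on 1 January of year at.
func trusts(anchor, leaf, inter, root *x509.Certificate, at int) bool {
	roots, sent := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor)
	sent.AddCert(inter) // what the server sends alongside the leaf; the root is usually included too
	sent.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: sent, CurrentTime: time.Date(at, 1, 1, 0, 0, 0, 0, time.UTC)})
	return err == nil
}

// scenario replays the post's expiries (leaf 2017, intermediate 2023, root 2031); the platform then rotates to a new intermediate and leaf built to outlive the root, so only the root's own expiry can bite.
func scenario() map[string]bool {
	root, rootKey := issue("Demo Global Root CA", 2031, true, nil, nil)
	inter1, inter1Key := issue("Demo Secure Server CA", 2023, true, root, rootKey)
	leaf1, _ := issue("iotp.example", 2017, false, inter1, inter1Key)
	inter2, inter2Key := issue("Demo Secure Server CA G2", 2035, true, root, rootKey)
	leaf2, _ := issue("iotp.example", 2033, false, inter2, inter2Key)
	return map[string]bool{
		"leaf pinned, 2016":         trusts(leaf1, leaf1, inter1, root, 2016),  // works while that leaf is current
		"leaf pinned, 2018":         trusts(leaf1, leaf2, inter2, root, 2018),  // dead: the platform renewed its leaf
		"intermediate pinned, 2018": trusts(inter1, leaf2, inter2, root, 2018), // dead: the intermediate rotated too
		"root pinned, 2030":         trusts(root, leaf2, inter2, root, 2030),   // fine under the rotated chain
		"root pinned, 2032":         trusts(root, leaf2, inter2, root, 2032),   // dead: the root itself has expired
	}
}
```

Each false entry is a device that can no longer reach the platform until its firmware ships a fresh anchor, which is the "dead device" case the reply warns about.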